Fixed #1026 (false positive: buffer access out of bounds)

Daniel Marjamäki 2009-12-05 11:41:30 +01:00
parent 7f15fea735
commit 0b09c36851
2 changed files with 15 additions and 8 deletions


@ -456,7 +456,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
(varid == 0 && Token::Match(tok, ("strcpy|strcat ( " + varnames + " , %str% )").c_str()))) (varid == 0 && Token::Match(tok, ("strcpy|strcat ( " + varnames + " , %str% )").c_str())))
{ {
size_t len = Token::getStrLength(tok->tokAt(varc + 4)); size_t len = Token::getStrLength(tok->tokAt(varc + 4));
if (len >= static_cast<size_t>(size)) if (len >= static_cast<size_t>(total_size))
{ {
bufferOverrun(tok); bufferOverrun(tok);
continue; continue;
@ -469,7 +469,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
MathLib::isInt(tok->strAt(6))) MathLib::isInt(tok->strAt(6)))
{ {
size_t len = MathLib::toLongNumber(tok->strAt(6)); size_t len = MathLib::toLongNumber(tok->strAt(6));
if (len > static_cast<size_t>(size)) if (len > static_cast<size_t>(total_size))
{ {
bufferOverrun(tok); bufferOverrun(tok);
continue; continue;
@ -482,7 +482,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
MathLib::isInt(tok->strAt(4))) MathLib::isInt(tok->strAt(4)))
{ {
size_t len = MathLib::toLongNumber(tok->strAt(4)); size_t len = MathLib::toLongNumber(tok->strAt(4));
if (len > static_cast<size_t>(size)) if (len > static_cast<size_t>(total_size))
{ {
bufferOverrun(tok); bufferOverrun(tok);
continue; continue;
@ -493,7 +493,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
if (varid > 0 && Token::Match(tok, "strncat ( %varid% , %any% , %num% )", varid)) if (varid > 0 && Token::Match(tok, "strncat ( %varid% , %any% , %num% )", varid))
{ {
int n = std::atoi(tok->strAt(6)); int n = std::atoi(tok->strAt(6));
if (n >= (size - 1)) if (n >= (total_size - 1))
strncatUsage(tok); strncatUsage(tok);
} }
@ -502,7 +502,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
if (varid > 0 && Token::Match(tok, "strncpy|strncat ( %varid% , %any% , %num% ) ; strncat ( %varid% , %any% , %num% )", varid)) if (varid > 0 && Token::Match(tok, "strncpy|strncat ( %varid% , %any% , %num% ) ; strncat ( %varid% , %any% , %num% )", varid))
{ {
int n = std::atoi(tok->strAt(6)) + std::atoi(tok->strAt(15)); int n = std::atoi(tok->strAt(6)) + std::atoi(tok->strAt(15));
if (n > size) if (n > total_size)
strncatUsage(tok->tokAt(9)); strncatUsage(tok->tokAt(9));
} }
@ -515,7 +515,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
while (tok2 && Token::Match(tok2, "strcat ( %varid% , %str% ) ;", varid)) while (tok2 && Token::Match(tok2, "strcat ( %varid% , %str% ) ;", varid))
{ {
charactersAppend += Token::getStrLength(tok2->tokAt(4)); charactersAppend += Token::getStrLength(tok2->tokAt(4));
if (charactersAppend >= static_cast<size_t>(size)) if (charactersAppend >= static_cast<size_t>(total_size))
{ {
bufferOverrun(tok2); bufferOverrun(tok2);
break; break;
@ -527,14 +527,14 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
// sprintf.. // sprintf..
if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% [,)]", varid)) if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% [,)]", varid))
{ {
checkSprintfCall(tok, size); checkSprintfCall(tok, total_size);
} }
// snprintf.. // snprintf..
if (varid > 0 && Token::Match(tok, "snprintf ( %varid% , %num% ,", varid)) if (varid > 0 && Token::Match(tok, "snprintf ( %varid% , %num% ,", varid))
{ {
int n = std::atoi(tok->strAt(4)); int n = std::atoi(tok->strAt(4));
if (n > size) if (n > total_size)
outOfBounds(tok->tokAt(4), "snprintf size"); outOfBounds(tok->tokAt(4), "snprintf size");
} }
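Review bot: The guards that now read `static_cast<size_t>(total_size)` (the strcpy/strcat check, the two `MathLib::toLongNumber` length checks and the chained strcat loop) would silently stop firing if `total_size` can ever be negative, because the cast wraps to a very large value, whereas the strncat and snprintf checks compare it as a plain `int` and would fire on every call in the same situation. How `total_size` is computed is outside these hunks, so this may already be excluded; if it is not, these byte-size checks should be skipped explicitly when `total_size <= 0` rather than relying on the cast. A comment next to its definition such as `// total_size: buffer size in bytes (size appears to be the element count); byte-oriented calls below compare against bytes` would record why the eight lines changed. checkScope starts and continues outside the hunks shown.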


@ -831,6 +831,13 @@ private:
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str()); ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
check("void f()\n"
"{\n"
" long bb[2];\n"
" write(stdin, bb, sizeof(bb));\n"
"}\n");
ASSERT_EQUALS("", errout.str());
check("void f()\n" check("void f()\n"
"{\n" "{\n"
" char str[3];\n" " char str[3];\n"
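Review bot: The new regression case pins only the no-warning side, and only for one call pattern, `write(stdin, bb, sizeof(bb))` on `long bb[2]`, while the fix changes eight lines in the checker. A companion case on the same non-char array, with a length argument larger than the array's byte size and an assertion that an out-of-bounds error is still reported, would guard against the switch to `total_size` turning into a missed overrun. Similar non-char cases for the strncat, snprintf and sprintf paths would cover the remaining changed comparisons. The enclosing test function begins and ends outside this hunk.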